[systemd-devel] [PATCH] Add AppArmor profile switching
Lennart Poettering
lennart at poettering.net
Fri Feb 14 05:36:49 PST 2014
On Fri, 14.02.14 14:05, Michael Scherer (misc at zarb.org) wrote:
> > > SD_BUS_PROPERTY("SELinuxContext", "s", NULL, offsetof(ExecContext, selinux_context), SD_BUS_VTABLE_PROPERTY_CONST),
> > > + SD_BUS_PROPERTY("AppArmorProfile", "s", NULL,
> > > offsetof(ExecContext, apparmor_profile),
> > > SD_BUS_VTABLE_PROPERTY_CONST),
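Review bot: with the "s" signature, the property cannot carry the ignore flag that the "-" prefix expresses in the unit file, so a client reading AppArmorProfile over the bus sees "profile" for both "profile" and "-profile". If the signature is changed to the "(bs)" structure suggested above, the NULL getter in this line has to be replaced by an explicit getter function as well: the default offsetof-based getter only serializes basic types, not a struct built from two fields.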
> >
> > Hmm, so thinking about this, we should normalize both these options and
> > turn the "s" signature into "(bs)", i.e. a structure made of a bool and
> > the label, where the bool indicates whether a non-existing label shall
> > be ignored or not. We have the same split up when serializing exec
> > commands, and we should do that here too...
>
> So, you want a 2nd property SELinuxcontextIgnore/AppArmorProfileIgnore
> that would be True when SELinuxContext/AppArmorProfile is prefixed by
> '-', or also when SELinux/AppArmor is disabled?
Nope. Just one property as struct.
> Also, SELinuxContext would be the context without the leading '-',
> correct ?
Correct. The "-" would basically just be a way to denote this in the
unit file, but never stored like that internally nor exported over the bus.
> > > @@ -140,6 +140,8 @@ struct ExecContext {
> > >
> > > char *selinux_context;
> > >
> > > + char *apparmor_profile;
> > > +
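Review bot: the hunk adds a heap-owned `char *apparmor_profile;` to ExecContext but nothing shown here frees it when the context is torn down; the matching free next to wherever selinux_context is released should be part of the same series. If the field is stored normalized, place the `bool apparmor_profile_ignore;` directly beside it so the pair stays together, as suggested for selinux_context.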
> >
> > Similar as above, I'd like this to be stored normalized, i.e.:
> >
> > bool selinux_context_ignore;
> > char *selinux_context;
> >
> > bool apparmor_profile_ignore;
> > char *apparmor_profile;
> >
> > Or similar...
>
> So that would require a custom change to load-fragment.c, so I guess
> that's a separate task as we need to apply that to selinuxcontext.
Yupp, there would be two parse functions that can handle
this. (internally, they can probably just invoke a single function that
takes pointers to both the char* and the bool variable)
> So I will provide the change for SELinuxContext, then once accepted,
> send a v3 of the apparmor patch with the code following the "style" of
> SELinuxContext, is this ok?
Feel free to just send them in a series.
Lennart
--
Lennart Poettering, Red Hat
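The normalized parse discussed in this thread (one shared helper that takes pointers to both the char* and the bool, wrapped by one parse function per directive), written out as an added example. This is not systemd's code and not part of the patch series; the struct `label_setting`, the function names and the rule that a bare "-" is rejected while an empty value resets the setting are assumptions of the example, modelled on how the "-" prefix is handled for exec commands.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Normalized storage: flag and label kept separately, the label never
 * carrying the leading '-'. Constructed for this example. */
struct label_setting {
        bool ignore;   /* true when the unit file wrote "-label" */
        char *label;   /* label without the '-'; NULL when unset */
};

/* Shared parser for the right-hand side of SELinuxContext= / AppArmorProfile=.
 * Rules (assumed here): "" resets both fields; a leading '-' sets *ignore and is
 * stripped; a bare "-" is rejected with -EINVAL and leaves the existing values
 * untouched. Returns 0 on success, negative errno on failure. */
int parse_ignorable_label(const char *rvalue, bool *ignore, char **label) {
        bool ign = false;
        char *copy;

        if (!rvalue || !ignore || !label)
                return -EINVAL;

        if (rvalue[0] == '\0') {           /* reset */
                free(*label);
                *label = NULL;
                *ignore = false;
                return 0;
        }

        if (rvalue[0] == '-') {            /* "-label": ignore if missing */
                ign = true;
                rvalue++;
        }

        if (rvalue[0] == '\0')             /* "-" alone carries no label */
                return -EINVAL;

        copy = strdup(rvalue);
        if (!copy)
                return -ENOMEM;

        free(*label);                      /* only replace once strdup succeeded */
        *label = copy;
        *ignore = ign;
        return 0;
}

/* One parse function per directive, both delegating to the shared helper. */
int parse_selinux_context(const char *rvalue, struct label_setting *s) {
        return parse_ignorable_label(rvalue, &s->ignore, &s->label);
}

int parse_apparmor_profile(const char *rvalue, struct label_setting *s) {
        return parse_ignorable_label(rvalue, &s->ignore, &s->label);
}

/* Reconstruct the unit-file spelling from the normalized form; the '-' is
 * re-added only at this boundary. Returns what snprintf returns. */
int format_ignorable_label(const struct label_setting *s, char *buf, size_t n) {
        if (!s->label)
                return snprintf(buf, n, "%s", "");
        return snprintf(buf, n, "%s%s", s->ignore ? "-" : "", s->label);
}

/* Self-check helper: start from a previously set value ("-prior"), parse
 * rvalue over it and compare result code and fields. Returns 1 on match. */
int check_parse(const char *rvalue, int want_rc, bool want_ignore, const char *want_label) {
        struct label_setting s = { true, strdup("prior") };
        int rc = parse_apparmor_profile(rvalue, &s);
        int ok = rc == want_rc && s.ignore == want_ignore &&
                 ((!s.label && !want_label) ||
                  (s.label && want_label && strcmp(s.label, want_label) == 0));
        free(s.label);
        return ok;
}

/* Self-check helper: parse then format, compare with the expected spelling. */
int check_roundtrip(const char *rvalue, const char *want) {
        struct label_setting s = { false, NULL };
        char buf[128];
        int ok = parse_selinux_context(rvalue, &s) == 0 &&
                 format_ignorable_label(&s, buf, sizeof buf) >= 0 &&
                 strcmp(buf, want) == 0;
        free(s.label);
        return ok;
}

int main(void) {
        struct label_setting s = { false, NULL };
        char buf[128];

        parse_selinux_context("-system_u:system_r:foo_t:s0", &s);
        format_ignorable_label(&s, buf, sizeof buf);
        printf("ignore=%d label=%s unit-file form=%s\n", s.ignore, s.label, buf);
        free(s.label);
        return 0;
}
```

The helper replaces the stored label only after strdup succeeded, so a failed parse never leaves the context half-updated, and the bus or serialization layer can hand out the (ignore, label) pair directly without re-parsing a '-' out of a string.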